An ASP.NET request that has lots of form keys, files, or JSON payload members fails with an exception

Summary

Microsoft security update MS11-100 limits the maximum number of form keys, files, and JSON members to 1000 in an HTTP request. Because of this change, ASP.NET applications reject requests that have more than 1000 of these elements. HTTP clients that make these kinds of requests will be denied, and an error message will appear in the web browser. The error message will usually have an HTTP 500 status code. This new limit can be configured on a per-application basis. Please see the "Resolution" section for configuration instructions.

Symptoms

ASP.NET requests that have lots of form keys, files, or JSON payload receive an error response from the server. The Application log on the server has a Warning entry with a Source that is a specific version of ASP.NET, and an Event ID of 1309. The event log contains one of the following messages:

Cause

The Microsoft security update that security bulletin MS11-100 addresses changes the default maximum number of form keys, files, and JSON members that ASP.NET will accept in a request to 1,000. This change was made to address the Denial of Service vulnerability that the Microsoft security bulletin MS11-100 documents.

Resolution

Applications that reach this limit for form keys or files can modify the ASP.NET appSetting aspnet:MaxHttpCollectionKeys, as shown below in an ASP.NET application’s configuration file. This setting addresses error message 1 and error message 2 from the "Symptoms" section.

Applications that hit this limit for JSON payloads can modify the ASP.NET appSetting aspnet:MaxJsonDeserializerMembers, as shown below in an ASP.NET application’s configuration file. This setting addresses error message 3 from the "Symptoms" section.